A Short Guide To Ransomware

Uploaded on 2021-10-29 in TECHNOLOGY--Resilience, FREE TO VIEW

Ransomware is a type of malware is designed to deny access to computer systems or sensitive data until a ransom is paid. 

While ransomware has been around for decades, ransomware attacks are becoming more sophisticated, spreading through phishing emails, spear phishing, email attachments, vulnerability exploits, computer worms and several other attack vectors.

Many cyber attacks give attackers access to your computer to install ransomware including:

 

●      Social engineering and phishing: Ransomware spreads by tricking users into downloading an infected email attachment that masquerades as a file from a colleague or boss.

●      Malvertising: Malvertising uses an infected iFrame or invisible element to spread ransomware. The iFrame redirects to a page that executes malicious code or an exploit kit to perform a drive-by download without user knowledge.

●      Vulnerabilities: More aggressive forms of ransomware like WannaCry exploit vulnerabilities to infect computers without user action.

Once infected, ransomware may encrypt some or all files.

After the initial ransomware infection, a ransom note explains the files are inaccessible. The victim must send a ransom payment to buy the decryption key to decrypt their files. Traditionally, ransom payments were demanded via prepaid cash services, Western Union transfers, gift cards, or premium rate SMS services. Nowadays, cybercriminals demand their ransom to be paid in Bitcoin and other cryptocurrencies.

According to the National Security Institute, the average ransom fee requested has increased from $5,000 in 2018 to around $200,000 in 2020. Cybersecurity Ventures predicts that ransomware will cost $6 trillion annually.

It is worth noting that in many cases, victims don't report ransomware attacks to law enforcement, creating artificially low reported ransomware numbers. In recent years, estimates of the number of ransomware attacks has reached 204.24 million.

The threat assessment experts at Upguard have produced a detailed review of various different  types of ransomware from 1989 to the present and here are three signicant expamples: 

 AIDS Trojan

One of the first known examples of ransomware was the AIDS Trojan written by evolutionary biologist Dr. Joseph Popp. Popp sent infected floppy diskettes to hundreds of victims under the heading "AIDS Information Introductory Diskette".

The Trojan replaced the AUTOEXEC.BAT file, which would then be used to count the number of times the computer has booted. Once the boot count reached 90, the ransomware hid directories and encrypted the names of all files on the hard drive (rendering the system unusable).

The victim would then be asked to 'renew the license' and contact PC Cyborg Corporation for payment, which involved sending $189 to a P.O. box in Panama, even though the decryption key could be extracted from the code of the Trojan.

Joseph Popp was ultimately declared mentally unfit to stand trial but promised to donate the profits from the ransomware to fund AIDS research.

WannaCry

WannaCry, an encrypting ransomware computer worm, was initially released on 12 May 2017. The ransom demand ranged from $300 to $600 to be paid in the cryptocurrency Bitcoin. WannaCry ransomware is also known as WannaCrypt, WCry, Wana Decrypt0r 2.0, WannaCrypt0r 2.0 and Wanna Decryptor.

It targets computers running outdated versions of the Microsoft Windows operating systems by exploiting the EternalBlue vulnerability in the Server Message Block (SMB) protocol. This allowed the ransomware to spread without victim participation. A group known as The Shadow Brokers stole the EternalBlue exploit from the United States National Security Agency (NSA) a few months prior to the cyber attack.

The EternalBlue exploit was discovered, but not disclosed, by the NSA prior to the attack. The NSA has since been criticized for not disclosing the exploit to Microsoft or the public on CVE, which may have allowed it to be patched prior to WannaCry.

Despite quick patching and the discovery of a kill switch domain, WannaCry was able to spread to an estimated 200,000 computers across 150 countries, causing hundreds of millions to billions of dollars in damages. Much of WannaCry's success was due to poor patching cadence.

Security experts, the United States, United Kingdom, Canada, Japan, New Zealand and Australia have formally asserted North Korea was behind the attack.

Ryuk

Ryuk is a sophisticated ransomware run by WIZARD SPIDER, a cyber crime group, who targets large enterprises for high ransom payments.  Rather than exploiting vulnerabilities or using a spray and pray phishing method, Ryuk is spread through spear phishing emails and an Emotet geo-based download function.

Once infected, a ransom note named RyukReadMe.txt is displayed containing a static template except for a changing email address and Bitcoin wallet. The email addresses usually contain one email at protonmail.com and another at tutanota.com, typically esoteric actors, directors or Instagram models' names are used.

Based on observed transitions to known Ryuk BTC wallets, the ransom demand varies significantly depending on the size and value of the victim's organization. Ideed, The Russia-based group has made roughly $3.7 million off 52 known transactions.

Want more ransomware examples?

For a detailed list of ransomware examples please visit the Upguard  website

You Might Also Read:

GCHQ Boss Says Ransomware Attacks Have Doubled In A Year:

 

« CISA, FBI & NSA Issue Ransomware Warning Alert
Iranian Petrol Stations Suffer A Massive Attack »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Foundation for Strategic Research (FRS)

Foundation for Strategic Research (FRS)

The Foundation for Strategic Research is France's main independent think tank on strategic, defense and security issues. Cyber security is covered as part of the study areas.

Federal Office For Information Security (BSI)

Federal Office For Information Security (BSI)

The BSI (Bundesamt fur Sicherheit in der Informationstechnik) is the federal cyber security agency and the chief architect of secure digitalisation in Germany.

Nexthink

Nexthink

Using our solution, hundreds of IT departments effectively balance offering a productive and enjoyable end-user experience with making the right decisions to secure and transform the digital workplace

SecuTech Solutions

SecuTech Solutions

SecuTech is a global leader in providing strong authentication and software licensing management solutions.

Tata Consultancy Services

Tata Consultancy Services

Tata Consultancy Services is a global leader in IT services, consulting & business solutions including cyber security.

GreyCortex

GreyCortex

GreyCortex uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

Corrata

Corrata

Corrata is an award-winning provider of mobile security and data control solutions for enterprises.

CyberCube

CyberCube

CyberCube provide world-leading cyber risk analytics for the cyber insurance market.

Ridge Canada Cyber Solutions

Ridge Canada Cyber Solutions

Ridge Canada helps insurance brokers and insurance buyers understand, evaluate, and secure cyber coverage that is tailored to their business.

Dasera

Dasera

Dasera’s Radar and Interceptor products deliver visibility, governance, and protection solutions for data-agile companies.

Appsian Security

Appsian Security

Appsian provides powerful solutions that help organizations take control of their business critical data and financial transactions.

RealTyme

RealTyme

RealTyme is a secure communication and collaboration platform with privacy and human experience at its core.

Creative Destruction Lab (CDL)

Creative Destruction Lab (CDL)

Creative Destruction Lab is a nonprofit organization that delivers an objectives-based program for massively scalable, seed-stage, science- and technology-based companies.

Morpheus Enterprises

Morpheus Enterprises

Morpheus Enterprises offer managed security solutions designed to keep your web applications secure and your business running smoothly.

SecurityStudio

SecurityStudio

SecurityStudio is a continuous cybersecurity risk management platform that allows decision-makers to quickly identify the most immediate threats and make confident risk informed decisions.

Ark Technology Consultants

Ark Technology Consultants

Ark Technology Consultants is a unique IT Services Firm which blends technology solutions with consultative insight around governance and process management.